Slashdot Mirror


Gnutella "Virus" Roams

An anonymous reader noted a CNN story about a Gnutella "Virus" floating around. It only affects Windows, and it's actually more of a trojan than a virus, but once infected, it hijacks your Gnutella node to serve itself to other unsuspecting Gnutella users. I'm sure this is only the beginning.

7 of 125 comments

  1. proof-of-concept by muffen · · Score: 4

    First of all I would like to say that this is a proof-of-concept worm. It is written by Mandragore, a member of the Spanish-speaking virus-writing group 29A (666 in hex). If you look at all viruses/worms released by 29A, you would see that they are almost always proof-of-concept or very complex.
    Secondly, this was released this weekend, why the story now? Also, regarding the post about viruses, why people write them, I would have to say that stories like this (on Slashdot, CNN, ZDNet or whatever) are probably what keeps the viruses coming. PUBLICITY!
    Imagine being De Guzman (Loveletter author), 20 years old in the Philippines, knowing that you will never leave the place. Imagine writing a 50 line VBScript that does 3 rounds around the world in 1 hour. That's power I guess :)

  2. Re:Absurd.. by BdosError · · Score: 5
    Microsoft has an even better way hidden within this system. The .shs extension (ShellScrap) is executable as a .vbs is, and is never displayed, even if you turn off "hide extensions for known types". There's also an individual setting for each extension that you can set to always show extensions for this type of file, and that still won't make the .shs show up. Brilliant piece of work that. I believe that's how one of the early VBScript worms worked.

    BdosError

    --
    Complexity is Easy. Simplicity is Hard.
  3. Absurd.. by PHr0D · · Score: 5

    This looks like it's related to Windows' default 'simple mode' where it hides the extensions of 'known' file types (i.e. *.exe).. So if you call a file 'evilvirus.bmp.exe' Windows will hide the exe extension and to a luser it appears to be a graphic file. -Lovely, VB, etc.. etc.. Is there any way we could make Windows *more* virus/worm friendly?


    --
    Vices - what I lack in originality, I make up for in volume.
    1. Re:Absurd.. by KilobyteKnight · · Score: 5

      Is there any way we could make Windows *more* virus/worm friendly?
      Top 10 ways to make Windows *more* virus/worm friendly:

      10. MS Virus SDK
      9. "START virus" button on task bar
      8. Paperclip with virus hints
      7. "Auto replicate and spread" option in Outlook
      6. WORM.CAB
      5. Bundle virus protection in Windows
      4. Require Windows virus updates be done via Hotmail
      3. Virus32.dll
      2. Tell Microsoft that people are giving away viruses for free in an "Un-American" way.
      1. Two words: DOT NET

      --
      When will Windows be ready for the desktop?
  4. Yes, in the first generation by First+Person · · Score: 5

    Your description is excellent. I would, however, view this first generation as more 'proof of concept' than anything else. Devising variants which return variable-sized documents or which return 'correct' sizes for a limited set of specific requests can't be long in coming. Likewise you may assume that future versions will examine the request strings and reply only to a subset and only some of the time. Counter measures will develop, of course, and so will the complexity of the trojan horses.

    I think a bigger concern is the potential for this to undermine anonymous P2P networks. Inspired by the RIAA, MPAA, hostile governments, etc., many efforts are being made to develop systems which fully hide the identity of the parties involved. It seems that this would also hide the origin of any trojans injected into the system. If users are no longer able to trust the content they receive, will they continue to use these systems?

    --
    Given one hour to live, the student replied: "I'd spend it with professor FP who can make an hour seem like a lifetime."
  5. No hijacking here by Wonko42 · · Score: 5
    CmdrTaco's statement is a little misleading. The trojan does not "hijack" your Gnutella node. When executed, it sniffs network traffic looking for Gnutella search requests. When it sees one, no matter what the request is for, it sends back a positive match to the request. If the remote user downloads the matched file (which is always 8,192 bytes in size), they'll get the trojan.

    It's pretty easy to determine which Gnutella users are infected. Just do a search for 'nsdkjfnlnponf' or some other completely nonsense phrase. You'll get a bunch of matches, all files 8,192 bytes long. These are infected nodes.

    --

  6. This is proof of concept, and not too dangerous by Fross · · Score: 5

    I've seen this over the last couple of weeks on Gnutella servers. There's been some other discussion about it, I believe on The Register, and I've done a bit of nosing round myself.

    Ultimately this is not a threat. It is quite obvious to spot (if someone is searching for, for instance, "chemical brothers" it'll return "chemical brothers.exe", which is an unexpected result, i.e. no track name and not an mp3 or so), though I have seen a variation that tries to disguise the fact that it is an exe (I've seen some spurious entries in "file type" entries under the Gnucleus client), and even if infected, your machine runs as a server for the virus - as far as I can tell, this won't make your machine run as a server when you're not running a Gnutella client/server anyway, it'll simply return itself when someone's search hits your machine.

    Many (sensible) clients already screen out several types of files, such as .vbs and .exe - these won't be susceptible to the worm at all. All the worm does is replicate itself, nothing else. Though that's not to say someone else isn't going to use this mechanism to write something a lot nastier. But for now, it should only affect the terminally stupid or extremely unwary :) and Windows users to boot! ;)

    /Fross
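The tells described across comments 2, 3, 5 and 6 (executable types that sensible clients screen, the hit that is always exactly 8,192 bytes and named after the query, Windows hiding a trailing .exe or .shs behind a double extension, and the nonsense-query probe that lists infected nodes) combined into one client-side result filter. This is an added example, not code from the thread, from the worm, or from any Gnutella client; the `Hit` record, the host addresses, the sample query hits, the media-extension list and the function names are all constructed here for illustration.

```python
"""Defender-side filter for Gnutella query hits, built from the tells in the thread.

Added example. Every record below is constructed; only the rules come from the
comments: 8,192-byte payload, hit name == query + ".exe", .vbs/.exe screened by
sensible clients, .shs never displayed by Windows, and double extensions that
hide the real type.
"""
import os
from dataclasses import dataclass
from typing import List, Tuple

PAYLOAD_SIZE = 8192                               # comment 5: the file is always 8,192 bytes
SCREENED_EXTENSIONS = {".exe", ".vbs", ".shs"}    # comments 2 and 6
MEDIA_EXTENSIONS = {".mp3", ".bmp", ".jpg", ".gif", ".avi"}  # constructed list for the double-extension check


@dataclass(frozen=True)
class Hit:
    """One query-hit record as a client would see it (constructed shape)."""
    host: str
    name: str
    size: int


def suspicion_reasons(query: str, hit: Hit) -> List[str]:
    """Return every rule from the thread that this hit trips (empty list = clean)."""
    reasons = []
    name = hit.name.lower()
    root, ext = os.path.splitext(name)        # "a.bmp.exe" -> ("a.bmp", ".exe")
    _, inner_ext = os.path.splitext(root)     # ("a", ".bmp"); "" when there is no inner extension
    if ext in SCREENED_EXTENSIONS:
        reasons.append(f"executable type {ext}")
    if name == query.strip().lower() + ".exe":
        reasons.append("name is the query plus .exe")
    if hit.size == PAYLOAD_SIZE:
        reasons.append("size is exactly 8,192 bytes")
    if ext in SCREENED_EXTENSIONS and inner_ext in MEDIA_EXTENSIONS:
        reasons.append(f"double extension {inner_ext}{ext} (Windows hides {ext})")
    return reasons


def filter_hits(query: str, hits: List[Hit]) -> Tuple[List[Hit], List[Tuple[Hit, List[str]]]]:
    """Split hits into (clean, flagged); flagged entries carry their reasons."""
    clean, flagged = [], []
    for hit in hits:
        reasons = suspicion_reasons(query, hit)
        (flagged.append((hit, reasons)) if reasons else clean.append(hit))
    return clean, flagged


def probe_infected_hosts(nonsense_query: str, hits: List[Hit]) -> List[str]:
    """Comment 5's probe: any 8,192-byte match to a nonsense phrase marks an infected node."""
    return sorted({h.host for h in hits if h.size == PAYLOAD_SIZE})


# Constructed sample data: hosts, names and sizes are made up for this example.
SAMPLE_QUERY = "chemical brothers"
SAMPLE_HITS = [
    Hit("10.0.0.9", "chemical brothers - block rockin beats.mp3", 4_200_000),
    Hit("10.0.0.5", "chemical brothers.exe", PAYLOAD_SIZE),           # the plain worm hit
    Hit("10.0.0.7", "chemical brothers live.bmp.exe", PAYLOAD_SIZE),  # disguised variant
]
PROBE_QUERY = "nsdkjfnlnponf"
PROBE_HITS = [
    Hit("10.0.0.5", "nsdkjfnlnponf.exe", PAYLOAD_SIZE),
    Hit("10.0.0.7", "nsdkjfnlnponf.exe", PAYLOAD_SIZE),
]

if __name__ == "__main__":
    clean, flagged = filter_hits(SAMPLE_QUERY, SAMPLE_HITS)
    for hit in clean:
        print(f"ok      {hit.host:10} {hit.name}")
    for hit, reasons in flagged:
        print(f"FLAGGED {hit.host:10} {hit.name}: {'; '.join(reasons)}")
    print("infected nodes from probe:", probe_infected_hosts(PROBE_QUERY, PROBE_HITS))
```

The extension and size rules are deliberately independent so that the disguised variant Fross mentions (a spurious file type, or a media-looking inner extension) is still caught by the 8,192-byte rule even when the name no longer ends in a bare ".exe".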